[cryptography] Point compression prior art?

Nico Williams nico at cryptonector.com
Fri May 20 18:49:51 EDT 2011

On Fri, May 20, 2011 at 5:40 PM, Paul Crowley <paul at ciphergoth.org> wrote:
> On 20/05/11 23:14, Zooko O'Whielacronx wrote:
>> How about the "Compact Representation", section 4.2, of RFC 6090:
>> http://www.rfc-editor.org/rfc/rfc6090.txt
>> Is that the same "point compression" that you were looking for?
> Sadly not; this is the "discard y, transmit only x" scheme described in the
> original CRYPTO 85 paper introducing elliptic curve cryptography. This
>  works for ECDH, but for protocols such as ECDSA it's harder to see how to
> make do with only one of the coordinates.  Thanks for the reference though!

What about using Shcnorr's signature scheme with ECDH?  Here's DJB
talking about it in the context of his Curve25519, which uses the
discard-y point compression technique:


This would seem adequate to me, and should result in small signatures.


More information about the cryptography mailing list